
Lockdown preventing valid application from running

I have an application that was updated and now Sophos is blocking it from running.  In the Win10 Event Viewer, HitmanPro.Alert Events, I see Mitigation: Lockdown on application javaw.exe.  The actual application is a java app that is called from a web browser.  If I remove Sophos from the PC, it works perfectly.  I have tried a mix of global exclusions and local policy exclusions and nothing appears to have any effect on the computer.

If I look in the Threat Analysis Center, the processes listed are chrome.exe, zcchelper.exe, and javaw.exe.  But file exceptions for zcchelper.exe and javaw.exe don't help.

Any suggestions for fixing this?  At this point, I am planning to remove Sophos from my Management PC so I can do my job.  I've been running Sophos AV for ages and this is the first time I have ever had it prevent me from actually doing legitimate work.  It is a bit frustrating.

Thanks in advance for any help.
Ken



This thread was automatically locked due to age.
  • Hi Ken,

    If a Java app is being called from a web browser I suspect the feature may be working as expected.

    In terms of creating an exclusion, a file/folder exclusion will not work as this type of exclusion is for Anti-virus while Intercept X is causing the block.

    If you check Event Viewer again and review these Event ID 911s, are the thumbprints at the bottom changing?  If not, a simple exclude from the endpoint's events in Sophos Central should do the trick (Detected Exploits exclusion).

    If the thumbprint is constantly changing we would have to create a more general exclusion.  Clone your Threat Protection policy and apply it only to you, then disable "Protect Java applications" under "Mitigate exploits in vulnerable applications".  The other option is to create a global Exploit Mitigation exclusion for Java, but this would be for your entire company.

  • Thanks for the quick reply!

    The thumbprint remains the same.  Unfortunately, now the events are not being updated.  I have items that show up in my event viewer, but the last event in the local Sophos events or the Sophos Central events is from an hour ago.  Not sure if something got messed up with all my testing, but I'll give it some time and see what happens.

  • I suspect the endpoint may not have received the policy yet.  One way to check this is to look at the registry key HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert - WhiteThumbprints.  The thumbprint in the Event Viewer log should be listed as a data entry in this key.
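The check described in the reply above (compare the thumbprint shown in the Event ID 911 entries with the WhiteThumbprints data under HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert) can be scripted. The following PowerShell is an added example and is not code from the thread or from Sophos. It assumes the event log is named HitmanPro.Alert, that a thumbprint is a run of hex digits following the word "Thumbprint" in the event message, and that WhiteThumbprints is either a subkey holding one value per thumbprint or a multi-string value; none of these details are confirmed by the thread, so adjust them to what your endpoint shows.

```powershell
# Added example (not from the thread): list the thumbprints seen in HitmanPro.Alert
# Event ID 911 entries and report whether each one is already present in the
# WhiteThumbprints data, i.e. whether the exclusion has reached this endpoint.
# Assumptions (not stated in the thread): log name, message layout, registry layout.

$RegPath = 'HKLM:\SOFTWARE\HitmanPro.Alert'
$LogName = 'HitmanPro.Alert'   # assumed name of the "HitmanPro.Alert Events" log

# Thumbprints the endpoint currently treats as whitelisted. Handles both a
# WhiteThumbprints subkey with one value per thumbprint and a single
# WhiteThumbprints multi-string value directly under the key (assumed layouts).
function Get-WhiteThumbprints {
    $found = @()
    $subKey = Join-Path $RegPath 'WhiteThumbprints'
    if (Test-Path $subKey) {
        $props = Get-ItemProperty -Path $subKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $found += [string[]]$p.Value }
        }
    } elseif (Test-Path $RegPath) {
        $v = (Get-ItemProperty -Path $RegPath).WhiteThumbprints
        if ($v) { $found += [string[]]$v }
    }
    return $found | ForEach-Object { $_.Trim().ToLower() } | Sort-Object -Unique
}

# Thumbprints reported by the most recent Event ID 911 entries.
function Get-Event911Thumbprints {
    param([int]$MaxEvents = 50)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 911 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Assumed message layout: "Thumbprint: <hex digits>" near the end of the text.
        if ($e.Message -match '(?im)thumbprint[^0-9a-f]*([0-9a-f]{16,})') {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                Thumbprint = $Matches[1].ToLower()
                Summary    = ($e.Message -split "`n")[0].Trim()
            }
        }
    }
}

$white = Get-WhiteThumbprints
$hits  = Get-Event911Thumbprints

if (-not $hits) {
    Write-Host "No Event ID 911 entries found in log '$LogName'."
    return
}

# One distinct thumbprint means the detection is stable and a Detected Exploits
# exclusion applies; many distinct values mean a broader exclusion is needed.
$hits | Group-Object Thumbprint | ForEach-Object {
    $tp = $_.Name
    [pscustomobject]@{
        Thumbprint  = $tp
        Occurrences = $_.Count
        LastSeen    = ($_.Group | Sort-Object Time -Descending)[0].Time
        Whitelisted = ($white -contains $tp)
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the affected endpoint after creating the exclusion in Sophos Central; a thumbprint that keeps appearing with Whitelisted = False indicates the policy has not yet been applied (or the exclusion targets a different thumbprint).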


  • A customer of ours has the same issue. 

    As the only message regarding this issue was "Nothing found to clean up", which is classified as "Information", it did not get sent to the customer. He finally found the following page and messaged me afterwards.

    community.microfocus.com/.../2807680

    We could use the workaround of unticking "Protect Java applications". 

    We could not use Whitelisting of the specific detected exploit in Exclusions (did not show up in list).

    How can we fix this issue without deactivating the "Protect Java applications" functionality?

  • Talk about a small world!  :-)  That link you posted in the Micro Focus community is mine.  Is your customer also using ZENworks Configuration Management?

    So I can make things work if I create a policy and untick "Protect Java applications".  But no exploit shows up and there is no way to just specify the specific thumbprint of the application.  I would much prefer to be more specific and not open things up any more than necessary.  If  or anyone else has any suggestions, I would appreciate it.

    Thanks!

    Ken

  • Yes, he uses a lot of Micro Focus products, like GroupWise, OES or ZENworks.

  • Turning off Protect Java applications is definitely not ideal as it's a bit broad.  By chance are you running on Java version 8?  If not, is it possible for the application to run on this version?  Java 8 comes with a lot of security patches that may prevent this detection from coming up.  If the issue still persists I'd suggest raising a support case to ask if there are any other options.

  • After Oracle changed licensing, we dropped Java 8.  We have very little use for it and it was a hassle getting a license for such minimal usage.  But I do have a couple business critical management tools that require Java, so I am currently running OpenJDK 11.

    I do have a support case open and I am waiting on a response from Sophos tech support.  Hopefully I get some assistance.  So far you have helped me more than they have.  :-)

    Ken

  • So rather than disabling "Protect Java applications", Sophos support worked with me and we found that making an Exploit Mitigation exception for gptool.exe, javaw.exe, and zcchelper.exe was sufficient.  I'm not sure if all three are necessary, but it definitely works this way.  A little trial and error might narrow it down to just one or two of them.

  • But wouldn't using the Exploit Mitigation exception for "javaw.exe" be very similar to disabling "Protect Java application"? I mean it would technically be only the one executable of the java family. It wouldn't be as broad as the previous solution though.

  • I just worked on this some more to tighten things up.  Turns out GPTool.exe and ZCCHelper.exe do not need to be excluded, so I deleted the exceptions for them.  I modified the javaw.exe exception to include the exact path.  It is located in the ZENworks folder.  So yes, it is similar, but disabling "Protect Java application" opened up all of Java and the exception as I now have it is limited to this one executable in this one location.

    I do wish I could just select the thumbprint like I have in the past, but it appears Sophos has changed something, so this is the best I can do at the moment.  Although I am open to suggestions if anyone has any.

    Ken

  • Thank you Ken for sharing what you found out.

    We will create that exception on our end too.

    Florian